This question came from our site for professional and enthusiast programmers. Votes, comments, and answers are locked due to the question being closed here, but it may be eligible for editing and reopening on the site where it originated.

2 Answers

Although I haven't been billed, I have spoken to vendors about their policies in this regard. Basically they cut you off when it gets very bad (in their view potentially affecting their whole network), but otherwise they will bill you. DDoS against your servers is not something they feel they need to absorb. I was investigating for an ecommerce outfit that didn't want to go dark even if there was a DDoS (so being cut off but not getting a bill was not a good option), and some vendors had specific solutions (for money) that could help provide protection. If your use of the service is public facing, it is absolutely something you need to be thinking about.

You should ask the specific cloud vendor you are working with how they handle this sort of stuff.

As an example, overnight someone could perform an HTTP 'GET' flood on your website(s) and request the same resources over and over in an attempt to increase your bandwidth costs, and I assume this sort of stuff will happen in the future, as it is easy to tell where a website is hosted.

You can end up with hundreds of GBs' worth of traffic in a single night, and a provider may refuse to do anything about it, as it is your duty to deploy some system of protection on your server (firewall, IPS/IDS). Providers will most likely never provide protection against this sort of attack, as most are using hardware specialized in stopping TCP/UDP/SYN attacks, and GET floods may result in false positives more often than the previous types of attacks.

If you know you have problems with attacks, you may want to use a host with DDoS protection. An idea would be to use a specialized host close to your cloud provider and simply proxy requests through that server, which should be heavily filtered. This may work, since I don't know many providers that are currently offering any options for DDoS protection, possibly due to the complexity of setting up IPS/IDS hardware in an environment in which IP addresses change constantly: one minute a server may be hosting one website, then the instance is removed and it starts hosting another. This poses a problem, as a lot of IPS/IDS hardware is based on analysis of traffic patterns in order to block 'bad' traffic.

Wouldn't you still have to open up a port on the cloud server(s) that you proxy to? I'm just thinking that if an attacker got hold of the destination URL, they could run an attack that bypasses the proxy server.
– gareth_bowles, Oct 20 '09 at 22:38

@gareth_bowles, first the fact that the URL is not publicized helps, but the stronger defense against that is to only allow traffic from the proxy or otherwise known/useful sources.
– Yishai, Oct 25 '09 at 18:31
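The two things the answer and the comment thread describe, a GET flood that repeatedly pulls the same resources to run up the bandwidth bill and the risk that traffic reaches the origin without passing through the filtering proxy, can both be checked from the web server's own access log. The example below is added here and is not code from either answerer. It parses constructed nginx/apache "combined" log lines (the IPs are documentation-range addresses and the paths are made up), flags clients whose request bursts exceed a rate threshold while touching only a few distinct paths, tallies the bytes they cost you, and lists any client that is not one of the allowed proxy addresses. The thresholds and the proxy address are assumptions for the sample, not values from the page.

```python
"""Added example: detect an HTTP GET flood in web-server access logs and check that
an origin sitting behind a filtering proxy only receives traffic from that proxy.
All log lines here are constructed for illustration; no real traffic or hosts."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# nginx/apache "combined" format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def find_get_floods(lines, window=timedelta(seconds=60), max_requests=100, max_distinct_ratio=0.1):
    """Flag client IPs whose densest burst of GETs inside any `window` exceeds
    `max_requests` while the requests hit only a small set of distinct paths (the
    'same resources over and over' pattern). Thresholds are assumed sample values.
    Returns {ip: {"requests", "distinct_paths", "bytes"}}."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start, peak = 0, 0
        for end in range(len(recs)):  # sliding window: size of the densest burst
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        distinct = len({r["path"] for r in recs})
        if peak > max_requests and distinct / len(recs) <= max_distinct_ratio:
            flagged[ip] = {
                "requests": len(recs),
                "distinct_paths": distinct,
                "bytes": sum(r["bytes"] for r in recs),  # what the flood cost in transfer
            }
    return flagged


def non_proxy_sources(lines, allowed_proxies):
    """For an origin that should only be reached through the filtering proxy, return a
    Counter of client IPs not in `allowed_proxies`: each is a request that bypassed it."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] not in allowed_proxies:
            hits[rec["ip"]] += 1
    return hits


def build_sample_log():
    """Constructed sample: one flooding client, normal browsing via the proxy, one direct hit."""
    base = datetime.strptime("20/Oct/2009:22:00:00 +0000", TS_FMT)
    lines = []
    # flooding client: 300 GETs in 60 s alternating between just two paths, 2 MiB each
    for i in range(300):
        ts = base + timedelta(milliseconds=200 * i)
        path = "/downloads/catalog.pdf" if i % 2 else "/"
        lines.append(f'198.51.100.23 - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 2097152 "-" "flood-ua"')
    # normal browsing arriving from the (assumed) filtering proxy, varied paths over 10 min
    for i in range(30):
        ts = base + timedelta(seconds=20 * i)
        lines.append(f'203.0.113.10 - - [{ts.strftime(TS_FMT)}] "GET /product/{i} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    # one request that reached the origin directly instead of via the proxy
    lines.append(f'192.0.2.77 - - [{base.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 5120 "-" "curl/7.19"')
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for ip, stats in find_get_floods(log).items():
        print(f"GET flood from {ip}: {stats}")
    print("requests not from the proxy:", dict(non_proxy_sources(log, {"203.0.113.10"})))
```

Run against a real log, `find_get_floods` gives you the evidence (request count, path diversity, bytes served) to take to the provider or to tune a rate limit, and `non_proxy_sources` is the audit for the comment's point: if it ever returns anything, the firewall rule that should restrict the origin's web ports to the proxy's addresses is missing or wrong, because log analysis detects the bypass but only the packet filter prevents it.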